24 Hour Fitness Rolling Out Fingerprint-Based ID Entry System

Gym chain 24 Hour Fitness is getting some attention for a new program that uses members’ fingerprints to replace the gym’s existing photo ID system.

A rep for 24 Hour Fitness says that even though the system scans members’ fingerprints, they have no plans to keep the prints on file. He says that members will select a PIN, then have their fingerprints scanned. This will generate a second code number.

“What we actually store is the number that is generated by the scan,” explains the rep. “We’re not actually keeping an image of your fingerprint. We’re storing a number.”

The rep says that the program is optional, so those who balk at the idea of having their prints scanned at all will still be allowed to use their photo ID. He claims that in test markets for the fingerprint program, “97 percent of our members had decided to opt in to the new system as their preferred check in… Overwhelmingly, it’s been positive.”

The 24 Hour Fitness locations here require that patrons have a photo ID on them in addition to the membership card. They refuse to scan the membership card until one presents gov-issued photo ID of some sort.

This is rich. If you thought it was bad when a company’s servers get cracked and someone steals millions of credit card numbers, wait until they steal the “Digital representation of your finger”. The card numbers can be revoked, whereas your fingerprint’s “code” can never, ever, ever, never, ever be revoked.

Because a numeric hash derived from your fingerprint scan is somehow less private than giving the gym your driver’s license and credit card number when you sign up? Or your checking account and routing number?

I have gone to a 24-hr gym with a fingerprint system for two years. Maybe once every two months, the system has a hiccup and I can’t get in, but it’s also comforting that my moochy family members can’t try to steal my pass like they did at the Y.

It sounds like the rep is telling the truth. Biometric scanners use minutiae – the points where your fingerprints join or diverge – to develop a map that identifies you. That result gets compared against your actual fingerprint when you scan it.

Maybe these technologies wouldn’t inspire such fear if people were better educated. Then again, the government lies about photographs from those TSA scanners, so how do you trust anyone?

I’ve been to places that have hand or fingerprint scanners instead of ID scanners. They’re terrible. With the amount of people coming in, the things need to be wiped down constantly or they get so gunked up with oil and grime that they can’t read the print properly.

It’s also faster if there are a bunch of people coming in. That way it’s just a quick press of the thumb scanner instead of handing your card to the person at the desk and waiting while they scan each one.

That being said I work in IT and my thumbprint gets me into some pretty secure areas. I’d be uncomfortable using my thumb print for something like that. I’d try and use a different finger.

I would actually welcome this at my gym. The trouble is that my gym has two levels of membership and different locker rooms to go with them. So you need your membership tag not just to get into the building but also into the locker room. And that means you have to carry the tag with you to your workout, which is inconvenient. If I could swipe into the locker room with a fingerprint, that’d be good.

Of course, I don’t know how well fingerprint scanners work on people who’ve been in a swimming pool for the last 2 hours.

It’s definitely optional. My gym put them in recently, and everyone is still opting to use the ID cards… I haven’t seen a single person use the fingerprint scanners. The staff (wisely) are saying nothing and pretending like the fingerprint scanners aren’t there.

So I work for a university where we have a student ID card. Our rec center is going through the exact transition and they come to us because we use biometric access in some of our buildings (places where security has to be high because of the sensitive nature of the materials). Our system does not store fingerprints. Our system reads the minutiae (http://bit.ly/cbjHdL) and stores an algorithm from the fingerprint. Each individual is assigned a unique ID number based on the minutiae. The reason our rec center wants to use bio for access is because our students often forget their ID cards and they tend not to return to the gym a second time. Obviously the gym wants students to take advantage of the service. So, as an administrator of this type of system, I like it. We spend a lot of money ensuring the highest levels of security and we implement the most cutting edge tech possible (i.e. multiple levels of encryption, top of the line cards, readers, and key management policies). As a user of the rec center I like not using my card because I don’t have to carry it around or worry about losing it while in the pool or on the treadmill. The company may have some questionable practices around data management but that is not a problem with the technology. I would ask them a lot of questions about how they manage data and how access is provisioned to users.

I go to 24-Hour Fitness and am signed up for the scanners. It’s totally convenient, especially when there’s a line of people who haven’t signed up waiting to use their cards. I had my fingerprints taken during the kidnapping freakout wave of the ’80s, so what’s one more?

They’re definitely not infallible, ask anyone (like myself) who works with the scanners. I notice it from having to test them daily for use, there are natural fluctuations in the quality and readability of your prints. Especially people who work with their hands like brick layers and painters.

I think this program sucks and is a privacy violation. Whatever program they used to scan the fingerprint and turn it into a number can be reversed. If their database gets hacked, how do I change my PIN? Oh, I have 9 others? What about the one that’s been lost to the wild?

How do I know their system does what they claim or think it does and that it’s not doing something else?

No no no, the simple solution is the best – keep a list of your customers, and have the person just show you a state ID or DL with a pic on it and look it up…

I will NEVER give anyone a fingerprint, hand print, palm scan, retinal scan, or iris photo – biometrics are mine. Not theirs. Just say no. Even better – work out at home and screw the gym…

Wrong – Collisions are found, or flaws in the hashing algorithm are discovered. That’s why we moved from MD5 to SHA1, and from SHA1 to now SHA256…

It *MAY* be secure for a brief period of time, but how long is that? Fact is, if I don’t use this technology then I don’t have to worry about any possibilities of collisions, flaws, or things that the NSA may know that the rest of us don’t.

So have I, that’s why I refuse to use the systems that implement biometric access. Remember the Asian researcher who used some gummy to duplicate someone’s fingerprint? Once you start using biometrics to authenticate, then the person who allegedly authenticated through a system is in the unholy position of proving that they weren’t actually there and that someone reproduced their biometrics somehow.

Don’t use the system, and this is one less worry to have.

Another concern is that as the use of the systems expands, risk increases to the user. If someone knows that you work for company X, and they use a fingerprint system and that you frequent the gym, then they simply get your fingerprint from something you touch at the gym, and use it to obtain the access they need at the company.

We have fobs on a chain or key holder and when we wave it a photo of our face pops up. If it doesn’t match, an alarm goes off. Or if two people try to come thru on same swipe. Costs are kept low when people don’t cheat.

The issue isn’t entirely what 24 Hour Fitness is doing with the fingerprints, it’s what others can do with them when they steal 24 Hour Fitness’ member database. So they store a number, eh? Like an MD5 hash or so? Easy to rebuild the image from the number.

I used to go to a 24 hour gym, and one of the most annoying things in the world was the gaggle of frat boys rolling in at 10 pm when only one of them had a membership. I think a tighter control over who has access at all hours of the night isn’t a bad thing at all, and I’m sure the later-hours members would agree. Nothing sucks worse than trying to work out when there are others milling about that have no business being there. They’re disrespectful to the equipment and obnoxious.

My concern is not privacy at all. It is touching my hands where someone else does. What if I scan mine after the guy who just took a dump and the tp was one ply? I will not touch a door knob with my bare hands, so if I need to touch something, I would be freaking out.

As a computer system engineer I have to point out that there’s no way to key the ID to the fingerprint without storing enough individually identifying characteristics of the fingerprint to uniquely identify the key. Sorry, 24 Hour Fitness, but that’s just not possible.

I work for 24 Hour Fitness and our club is slated to have the fingerprint scanners installed later this year. After working in the fitness industry for nearly six years as a front desk attendant I can tell you that this is actually a great thing. Not only will the new system cut down on the amount of cards our members have to carry it will also cut down on fraud. I have seen the things that people do to try to trick the front desk employees including using fake IDs. It will also cut down on how often the front desk employees get sick during cold and flu season from being passed cards all day long. I worked at another fitness chain years ago and even with hand sanitizer I was sick three times a year because of people handing me their dirty keys all day long.

Just a quick update on this one: I was given a deadline to go to the fingerprint system this week. I asked if it was optional, and was told yes. But, if it’s busy, you’ll have to wait until everyone else goes in. So, essentially, I have the OPTION to become a second class citizen at my own gym (paying full price) for not wanting to scan my prints (which the government have on file for an actual good reason). I’m just going to say no.

ps. don’t the counter people see that this is essentially just a way of eliminating their jobs???

24 Hour Fitness has been increasingly trying to get me to sign up to their fingerprint system. Today I was refused entrance because my Govt issued picture ID was a photocopy and not the original. I have been a member for a number of years and a photocopy of my ID has always been accepted. There were no signs informing me of this policy change, nothing in the mail, and when I came in on Monday and Tuesday, no staff member informed me of any upcoming change. An organization like this cannot be trusted with fingerprint data; they are unscrupulous and dishonest.